Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

  • 1.  Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

    Posted Feb 26, 2021 12:46 PM
    Hi There,

    I have recently taken over a role, and a more suspect network. I am seeing a few too many timeouts at the moment; looking at the Auth Source, I can see that they are not hitting the primary DC, but the backup first. I would assume that this is the cause of the timeouts; however, I am unclear why the primary DC isn't working as it should. I haven't done a deep dive as yet (as no one is screaming ...yet). I just wanted to ask the community if you had any advice in this situation.

    Regards

    ------------------------------
    Stu Mills
    ------------------------------


  • 2.  RE: Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

    MVP EXPERT
    Posted Feb 26, 2021 05:12 PM
    Which port is used in your authentication source? 389 or 636?

    - Can you search the AD tree in the primary and backup configuration?
    - Are they both configured as 389 or 636 (LDAP over SSL)?

    Check the ClearPass Certificate Trust store and see whether yours uses just one root-ca certificate for the purpose of LDAP.

    Check the monitor > event viewer for any logs.

    Maybe try temporarily running on port 389 (without SSL encryption) to see if anything changes. It is strongly recommended to keep using 636 LDAP over SSL in production.

    What ClearPass version do you run?

    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------
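
The port checks suggested in the reply above can be run side by side against both domain controllers. This is an added example, not part of the original post and not ClearPass tooling; the hostnames are placeholders, and it assumes it is run from a host on the same network as ClearPass, so it reports reachability from that host rather than from ClearPass itself.

```python
import socket
import ssl
import time

def probe_ldap(host, port, use_tls=False, cafile=None, timeout=3.0):
    """Connect to an LDAP port and report how far the connection got and how long it took."""
    result = {"host": host, "port": port, "ok": False, "stage": "tcp", "error": None}
    start = time.monotonic()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            if use_tls:
                # LDAPS: verify the DC certificate against the CA bundle (system
                # store if cafile is None); a trust-store mismatch fails here.
                result["stage"] = "tls"
                ctx = ssl.create_default_context(cafile=cafile)
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    result["tls_version"] = tls.version()
            result["ok"] = True
    except OSError as exc:  # covers refused, timeout, DNS failure and ssl.SSLError
        result["error"] = f"{type(exc).__name__}: {exc}"
    result["ms"] = round((time.monotonic() - start) * 1000, 1)
    return result

def compare_sources(primary, backup, ports=((389, False), (636, True)), **kwargs):
    """Probe both DCs on every (port, use_tls) pair."""
    return {
        role: [probe_ldap(host, port, use_tls=tls, **kwargs) for port, tls in ports]
        for role, host in (("primary", primary), ("backup", backup))
    }

def failing_roles(report):
    """Roles with at least one failed probe."""
    return sorted(role for role, rows in report.items() if not all(r["ok"] for r in rows))

if __name__ == "__main__":
    # Placeholder hostnames; substitute the servers from the authentication source.
    report = compare_sources("dc1.corp.example", "dc2.corp.example", timeout=3.0)
    for role, rows in report.items():
        for r in rows:
            status = "ok" if r["ok"] else f"FAILED at {r['stage']} ({r['error']})"
            print(f"{role:8} {r['host']}:{r['port']:<4} {r['ms']:>8} ms  {status}")
    print("failing:", failing_roles(report) or "none")
```

A failure at stage `tcp` points to reachability (routing, firewall, service down), while a failure at stage `tls` with TCP succeeding points to the certificate or trust chain.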



  • 3.  RE: Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

    Posted Mar 02, 2021 03:44 AM
    Hi,

    To be honest, I am not sure which certificate is attached to this process. It seems I have a number of certs, which are mostly disabled. I have enabled the first in the list to see whether I can track the cert info in regard to the errors/timeouts.

    I did swap temporarily to port 389; however, that didn't seem to make any difference.

    We are running 6.7.2.105008. We would like to upgrade, but we are nervous to in case the system doesn't come back (as I do not have the creds for the back end of ClearPass-CLI etc.).

    What advantages would there be to upgrade?



    --
    Kind Regards

    Stuart J Mills
    Service Desk Analyst
    working hours 0800-1600







  • 4.  RE: Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

    MVP EXPERT
    Posted Mar 02, 2021 12:45 PM
    Best Stuart,

    If the switch to LDAP/389 gives you the same result, then it's not an SSL or certificate issue.

    Note that ClearPass 6.7.x will soon reach end of support on 4-jun-2021. Also, version 6.7.2 is (for some reason) no longer available in the download repository, and 6.7.3 was released 26-apr-2018. The latest release is 6.7.14+hotfix, released on 25-feb-2021. So you're running a very old version.

    There is a good possibility your issue could be a bug, and the best way is to work with Aruba TAC Support to assist you on this.

    You don't have to be nervous about an upgrade, but planning and a well-working backup are essential.

    • Do you have a hardware or virtual appliance?
    • Do you have two ClearPass nodes in a publisher/subscriber configuration?





    ------------------------------
    Marcel Koedijk | MVP Guru 2021 | ACMP | ACCP | Ekahau ECSE | Not an HPE Employee | Opinions are my own
    ------------------------------



  • 5.  RE: Authentication Source: ClearPass Showing that it's NOT hitting primary DC first

    EMPLOYEE
    Posted Mar 03, 2021 03:38 AM
    Can you share the log that provides you the information that the primary authentication server is failing?
    What is the type of your authentication source? Is it Active Directory?
    Can you 'search' the primary server in the Authentication Source configuration screen?

    If the primary authentication source is failing structurally, I would create a copy of your authentication source and swap the primary and backup such that the secondary that is working is taken first, while researching the issue. Apply that copy then in your service.

    It may be wise to work with your Aruba partner or Aruba support, also to get your upgrade planned.

    If you lost the CLI login credentials, you can reset the appadmin password by changing the 'cluster password' in the Cluster-wide parameters. The Cluster password and the appadmin account password for SSH/CLI access are the same.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------